ASIS2014: NUMDROID WRITE-UP

I’ve playing with Android CTF questions recently and found this jewelry box. One of the questions was about a numeric one way hash question named NUMDROID. The question was presented in ASIS2014 and here, I write the write-up!

Find the Numdroid Question

The question was a file of binary data. The first bytes (known as File Signatures) show that the file is a 7ziped file. Therefore I decompressed it and found the files inside compressed file.

FileType

The contents extracted from the file were parts of an APK.

Inside APK

So I zipped the files and signed by a self signed key. For more information about signing APK archives please refer to my previous post about smali code injection.

Make APK

Install is the Magic

First of all, I installed the APK in order to find what does it do. It was a screen with numpad inside and a back-OK keys.

First Attemp

Source Code is Another Magic

For the sake of the byte code, Java code is vulnerable against decompilation techniques if no obfuscation method is used. The code was clear! I used JADX which is very good decompiler for APK files.

The Code

After a fast overview of the source code, I found that the numeric input is hashed by an algorithm inside the code and checked against a string for being verified. I highlighted the code section for hash function.

The Digest

As it is visible in the isOK function, the password’s length is 7 at maximum.

Capturing the Flag

I’ve checked the next activity which will be shown after verification process. The activity shows MD5 of input number as the flag. Therefore finding the flag is about to cracking the hash function.

There are two ways for cracking:

Crypt Analysis and finding a way to revert the hashed string to its original value, which is not suitable for this kind of challenge.

Bruteforcing all ranges from 0 to 9999999 and calculating the hash.

I’ve select the second choice and bruteforce the range. For this aim, I’ve write a small piece of java code:

Bruteforce

And converted it to dex file in order to access its smali code.The needed tools are javac, dx and backsmali.

javac

Dexing the class

The Smali

Then I’ve injected the smali code inside the APK and put my bruteforce code inside onCreate() of the main activity. The bruteforce code will write the flag in Log of Android if the hash value is correct.

Bruteforce Smali Code

Calling the Code

Smali Code Injection

The Flag

Finally, after injection, I signed and installed the new APK on the Android Emulator and voila! the result.

Recompile

Sign the injected APK

The Flag

The Flag in Action

The code is MD5(3130110) and thus the flag is ASIS_{3C56E1ED0597056FEF0006C6D1C52463}.

Mir Saman

I'm currently an IT PhD. candidate at Urmia University. I'm interested in Social Network Analysis, Big Data Mining, and NLP in my academical field as well as Guitar, Nature, and Android!
View all posts by Mir Saman